AnimeSuki Forums

Old 2009-08-31, 19:49   Link #1
SaintessHeart
NYAAAAHAAANNNNN~
 
 
Join Date: Nov 2007
Age: 29
vrxiqttico.exe

Well, I got this program in my processes list, but I can't seem to find which program it belongs to. Using Windows search turns up no results even with the hidden files option turned on.

And for some reason, my system is starting to slow down and I am starting to be unable to access the internet.

Malwarebytes, Avast, and Spybot all turned up nothing. Anyone help?
__________________

When three puppygirls named after pastries are on top of each other, it is called Eclair a'la menthe et Biscotti aux fraises avec beaucoup de Ricotta sur le dessus.
Most of all, you have to be disciplined and you have to save, even if you hate our current financial system. Because if you don't save, then you're guaranteed to end up with nothing.
Old 2009-08-31, 21:50   Link #2
sa547
Senior Member
*Author
 
 
Join Date: Oct 2007
Location: Philippines
Age: 41
When this happens,

1.) Download hijackthis and autoruns (can be Googled)
2.) Restart and go into safe mode (press F8 quickly at bootup after the BIOS screen)
3.) Now using hijackthis and autoruns, scan the entire system to see if some rogue trojan has just stuck onto startup. You will have to manually remove that leech by finding where it is and then deleting it (most of these are either hidden or lurking somewhere in the C:\Windows\System32 folder).
Old 2009-08-31, 23:25   Link #3
SaintessHeart
NYAAAAHAAANNNNN~
 
 
Join Date: Nov 2007
Age: 29
Quote:
Originally Posted by sa547 View Post
When this happens,

1.) Download hijackthis and autoruns (can be Googled)
2.) Restart and go into safe mode (press F8 quickly at bootup after the BIOS screen)
3.) Now using hijackthis and autoruns, scan the entire system to see if some rogue trojan has just stuck onto startup. You will have to manually remove that leech by finding where it is and then deleting it (most of these are either hidden or lurking somewhere in the C:\Windows\System32 folder).
Already tried that. Not working. I scoured the entire system32 and system folder and it turned up nothing unusual, even in safe mode.

Spoiler for screenie:


Spoiler for hijackthis - safemode:


Spoiler for hijackthis - normal mode:


Notice that the vrx executable does not turn up on the list of running processes, but in taskmanager it does.
Last edited by SaintessHeart; 2009-08-31 at 23:44.
Old 2009-09-01, 01:42   Link #4
-KarumA-
(。☉౪ ⊙。)
*Author
 
 
Join Date: Jul 2004
Location: In Maya world, where all is 3D and everything crashes
Age: 30
I'd run Malwarebytes and after that ComboFix.
Both programs create logs that you can post up here.

Probably the best help you can get for questions about this process is here:
http://www.hijackthis-forum.de/english-help/

They will surely ask you the same thing I just did: run Malwarebytes and ComboFix, run both and make a topic there where you post the HijackThis log, the Malwarebytes log and the ComboFix log.

Include a description of the problem and the shots you've made =)

edit: I find it strange that I can't find much about this process at all; all I get is something about cars.
What you could do is start a search for the filename on your C:\ disk; it's probably in your Windows folder.
If you CAN find it, upload it here: http://www.virustotal.com/nl/
This site scans the file with many different antivirus programs so you can make out if it is a hoax file or if it actually belongs there.
Old 2009-09-01, 02:40   Link #5
SaintessHeart
NYAAAAHAAANNNNN~
 
 
Join Date: Nov 2007
Age: 29
Quote:
Originally Posted by -KarumA- View Post
I'd run Malwarebytes and after that ComboFix.
Both programs create logs that you can post up here.

Probably the best help you can get for questions about this process is here:
http://www.hijackthis-forum.de/english-help/

They will surely ask you the same thing I just did: run Malwarebytes and ComboFix, run both and make a topic there where you post the HijackThis log, the Malwarebytes log and the ComboFix log.

Include a description of the problem and the shots you've made =)

edit: I find it strange that I can't find much about this process at all; all I get is something about cars.
What you could do is start a search for the filename on your C:\ disk; it's probably in your Windows folder.
If you CAN find it, upload it here: http://www.virustotal.com/nl/
This site scans the file with many different antivirus programs so you can make out if it is a hoax file or if it actually belongs there.
Similarly, I find it strange, because I know how to read HijackThis logs. Anyway, does ComboFix have an update? Or is it supposed not to be able to run in safe mode?

Another thing is, there are TWO rundll32.exe running in regular Windows, not just one. Also I tried to monitor what the vrx program does by setting affinity to 1 CPU and lowest priority in Task Manager, but the results seem quite harmless (low CPU, pagefile and RAM usage).
Old 2009-09-01, 13:44   Link #6
-KarumA-
(。☉౪ ⊙。)
*Author
 
 
Join Date: Jul 2004
Location: In Maya world, where all is 3D and everything crashes
Age: 30
Quote:
Originally Posted by SaintessHeart View Post
Similarly, I find it strange, because I know how to read HijackThis logs. Anyway, does ComboFix have an update? Or is it supposed not to be able to run in safe mode?

Another thing is, there are TWO rundll32.exe running in regular Windows, not just one. Also I tried to monitor what the vrx program does by setting affinity to 1 CPU and lowest priority in Task Manager, but the results seem quite harmless (low CPU, pagefile and RAM usage).
ComboFix can be run in your regular Windows mode, just don't run any other apps in the meantime (like your firewall or antivirus). It requires an internet connection to download a Windows Recovery Console, which is advised; a regular scan doesn't hurt, but it is when amateurs start putting in command codes that mess up your system that you will be needing that.

ComboFix looks old school but it is one of the best malware removal programs there is. Even if it isn't able to remove something (or you are unable to with Malwarebytes or your antivirus), you can make a .txt script with code which allows ComboFix to remove the malware that cannot be removed in a regular scan (by dragging the .txt onto the program itself), but only the experts know this coding. For this reason I posted the HijackThis English forum: if you have something suspicious, those are the guys that know what it is and if it is bad or not, and if it is bad they can immediately tell you how to remove it without too much trouble.

However, maybe you realize that ComboFix is not your regular scanner and is more like a last call or red emergency button when you are certain that you are infected. It isn't one made for all-the-time protection; it is simply for a system clean sweep to see if all malware is gone and if not, that it will be removed (or for pesky returning viruses or hidden spam bots).

edit:

as for the RUNDLL32.EXE, it seems to be malware according to this site (the capitals looked suspicious to begin with)
http://www.liutilities.com/products/...rary/rundll32/

to be certain you can upload the file to http://www.virustotal.com/
you can remove the entry C:\WINDOWS\system32\RUNDLL32.EXE, but since I am not an expert on this subject I would still point you to the HijackThis forum
so that if you might have any errors afterward they can help you further along the line
however a scan with the 2 scanners doesn't hurt anyone

Last edited by -KarumA-; 2009-09-01 at 14:03.
Old 2009-09-01, 13:49   Link #7
sa547
Senior Member
*Author
 
 
Join Date: Oct 2007
Location: Philippines
Age: 41
Odd... seems that the rogue file is trying to evade Hijackthis. Try renaming the Hijackthis filename to something like "cantseeme.exe" so that the trojan in question can't detect its presence if you try to run HJT.
Old 2009-09-01, 14:41   Link #8
Doughnuts
Senior Member
 
Join Date: Dec 2007
Location: England
Age: 31
Quote:
Originally Posted by SaintessHeart View Post
O4 - HKLM\..\Run: [Microsoft .NET Framework 3.5] C:\WINDOWS\TEMP\vrxiqqrtco.exe
It's there, and it isn't what it's saying it is. Get rid.
Old 2009-09-01, 15:42   Link #9
Haruyasha
名前は?
*Scanlator
 
 
Join Date: Oct 2006
Location: Washington
Age: 29
A friend put a virus on your computer?

Before you delete it, upload vrxiqqrtco.exe to http://virusscan.jotti.org/en and see what happens. (If it's small in size.)

If the exe is made with .NET framework, you could also NET Reflector it and see what's up.
Old 2009-09-02, 06:25   Link #10
SaintessHeart
NYAAAAHAAANNNNN~
 
 
Join Date: Nov 2007
Age: 29
Quote:
Originally Posted by Haruyasha View Post
A friend put a virus on your computer?

Before you delete it, upload vrxiqqrtco.exe to http://virusscan.jotti.org/en and see what happens. (If it's small in size.)

If the exe is made with .NET framework, you could also NET Reflector it and see what's up.
Heh, my computer is exclusive access to me.....in the physical world that is. I haven't had as much time to pore over my system file by file on a regular basis as before since I enlisted.

Quote:
Originally Posted by -KarumA- View Post
as for the RUNDLL32.EXE, it seems to be malware according to this site (the capitals looked suspicious to begin with)
http://www.liutilities.com/products/...rary/rundll32/

to be certain you can upload the file to http://www.virustotal.com/
you can remove the entry C:\WINDOWS\system32\RUNDLL32.EXE, but since I am not an expert on this subject I would still point you to the HijackThis forum
so that if you might have any errors afterward they can help you further along the line
however a scan with the 2 scanners doesn't hurt anyone
Rundll32.exe is a main component in Windows that makes Dynamic Link Libraries run. Without them, the system cannot start up.

If I recall, having rundll32 in caps ON TASKMGR would then register it as a harmful program, but apparently it doesn't on my PC. Besides, one of them is registered under SPIRUN, another of Microsoft's "important-but-we-can't-tell-you-what-it-is-because-it-is-market-secret" files. The other 2, under NvCplDaemon and NvMediaCenter, are Nvidia's drivers.

I am not going to delete this first. Wait and see could be a good option.

Quote:
Originally Posted by Doughnuts View Post
It's there, and it isn't what it's saying it is. Get rid.
Sounds like it is another of the dotnetfx frameworks. But I don't recall installing any new redistributables since last month, and this file was created only 3-4 days ago.

Also, I can't find the file using Windows search, but the HKLM denotes that it is from the Windows Registry. If there is a key, where is the file?
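The O4 line Doughnuts quoted, and the question of how an HKLM Run key can point at a file Windows search cannot find, are the kind of thing an autorun audit can flag mechanically. The script below is an added example, not from this thread and not part of HijackThis; it parses HijackThis-style O4 lines and flags entries that run from a temp directory, claim a Microsoft/.NET/Windows identity from outside the system directories, or carry a random-looking file name. For rundll32 hosts it inspects the DLL being loaded rather than rundll32 itself, which is why entries like the Nvidia ones pass. The sample log is constructed; only the C:\WINDOWS\TEMP\vrxiqqrtco.exe path comes from the thread, and the trusted-directory list and the random-name rule (a weak heuristic that only corroborates the other two) are my assumptions.

```python
import re
from typing import Dict, List

# Constructed sample of HijackThis O4 (autorun) entries. Only the
# vrxiqqrtco.exe line is quoted from the thread; the others are made up
# to show which entries the checks leave alone.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Microsoft .NET Framework 3.5] C:\WINDOWS\TEMP\vrxiqqrtco.exe
"""

# O4 - <hive>\..\<key>: [<display name>] <command line>
O4_LINE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

# Assumed: where a binary that calls itself a Windows/Microsoft component
# would normally live. Claiming that identity from anywhere else is suspect.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\windows\\microsoft.net\\", "c:\\program files\\",
                "c:\\program files (x86)\\")
VENDOR_WORDS = ("microsoft", ".net", "windows")


def launched_path(cmd: str) -> str:
    """Return the file an O4 command line really executes or loads.
    For a rundll32 host the interesting file is the DLL argument."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        image, _, rest = cmd[1:].partition('"')
    else:
        image, _, rest = cmd.partition(" ")
    if image.lower().endswith("rundll32.exe"):
        # rundll32 syntax: RUNDLL32.EXE <dll>,<entrypoint> [args]
        return rest.strip().split(",", 1)[0].strip().strip('"')
    return image.strip()


def looks_random(stem: str) -> bool:
    """Weak heuristic for generated names such as 'vrxiqqrtco': a long,
    all-lower-case, vowel-poor run of letters. Product names are usually
    mixed case or contain digits and are skipped on purpose."""
    if len(stem) < 8 or not stem.isalpha() or not stem.islower():
        return False
    vowels = sum(ch in "aeiou" for ch in stem)
    return vowels / len(stem) <= 0.25


def check_entry(name: str, cmd: str) -> List[str]:
    """Return the list of reasons an autorun entry deserves a second look."""
    path = launched_path(cmd)
    p = path.lower().replace("/", "\\")
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    reasons = []
    if "\\temp\\" in p:
        reasons.append("temp-dir")
    if any(w in name.lower() for w in VENDOR_WORDS) and not p.startswith(TRUSTED_DIRS):
        reasons.append("vendor-name-mismatch")
    if looks_random(stem):
        reasons.append("random-name")
    return reasons


def audit_hjt_log(text: str) -> List[Dict[str, object]]:
    """Parse every O4 line in a HijackThis log and keep the flagged ones."""
    findings = []
    for line in text.splitlines():
        m = O4_LINE.match(line.strip())
        if not m:
            continue
        reasons = check_entry(m["name"], m["cmd"])
        if reasons:
            findings.append({"hive": m["hive"], "key": m["key"], "name": m["name"],
                             "path": launched_path(m["cmd"]), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_hjt_log(SAMPLE_HJT_LOG):
        print(f"{f['hive']}\\..\\{f['key']} [{f['name']}] -> {f['path']}")
        for r in f["reasons"]:
            print("   -", r)
```

Run against a real log, the output lists only the flagged entries; an entry that trips the temp-directory or vendor-mismatch rule is worth pulling the file for a multi-engine scan, as the thread suggests, before deleting the key.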
Old 2009-09-03, 20:06   Link #11
WanderingKnight
Gregory House
*IT Support
 
 
Join Date: Jun 2006
Location: Buenos Aires, Argentina
Age: 29
I'd say get rid of it. Malware is known to take random names, and a Google search turns up nothing. Which shouldn't happen to any file found under \system32 anyways.
__________________


Place them in a box until a quieter time | Lights down, you up and die.
Old 2009-09-04, 10:28   Link #12
SaintessHeart
NYAAAAHAAANNNNN~
 
 
Join Date: Nov 2007
Age: 29
Quote:
Originally Posted by WanderingKnight View Post
I'd say get rid of it. Malware is known to take random names, and a Google search turns up nothing. Which shouldn't happen to any file found under \system32 anyways.
Got rid of it, but my Mozilla is screwing me up with random 404s. On the other hand I have 2 instances of rundll32 running at the same time, and terminating them with PunkBuster seems to stack the odds in my favour.
Old 2009-09-06, 17:18   Link #13
Tiberium Wolf
Senior Member
 
 
Join Date: Dec 2004
Location: Portugal
Age: 38
You could also get some more information about the running processes. I use Runalyzer to get the info.
Old 2009-09-07, 03:53   Link #14
-KarumA-
(。☉౪ ⊙。)
*Author
 
 
Join Date: Jul 2004
Location: In Maya world, where all is 3D and everything crashes
Age: 30
When still in doubt, like I've said before, just use ComboFix; it can save a lot of headaches.
Old 2009-09-07, 09:26   Link #15
SaintessHeart
NYAAAAHAAANNNNN~
 
 
Join Date: Nov 2007
Age: 29
Quote:
Originally Posted by -KarumA- View Post
When still in doubt, like I've said before, just use ComboFix; it can save a lot of headaches.
Already did and it turned up nothing.

EDIT: It seems that my Avast is blocking attempts to contact a server at mx3.messagingengine.com. Must be the virus, and it runs under svchost.exe, a critical program. Lovely.

I tried these:

1. Expanding the file from msconfig using the Windows disk. No effect. Hypothesis: seems that the file ran from a separate location.

2. Ran security updates on KB894391 and KB921883. Still not working.

3. Came across this:

Spoiler for long:


With some help I found out the IP address is this.

Blocked the IP, but I made some modifications to the steps, as in:

- Setting filter options to Any IP address.
- A random string of authentication numbers and characters filling up an entire page in Notepad that I don't even know what I put, and setting it as a preset shared key rather than using Kerberos V5.

Avast! is still monitoring the penetration from that IP as sending "mails", and I suspect those packets to be screenshots. Transmitting the packets seems to take less than half a second, so it probably worked. Pinging the address from the console registers "destination host unreachable", which means the method totally blocked it, but I haven't tried pinging it from alternate ports.

But such stuff is not without flaws; this only buys me time to find a way to uncorrupt my svchost.exe. Any suggestions?

P.S. My head is bursting. The server is still trying to retrieve data from my PC. Looks like I need to do a format. But it seems to be targeting one VERY specific location, the system32\drivers folder. What the hell is it trying to do?
Last edited by SaintessHeart; 2009-09-07 at 11:01.
Old 2009-09-07, 10:53   Link #16
Epyon9283
Geek
 
 
Join Date: Dec 2005
Location: New Jersey
Age: 34
If Avast gives you a PID of svchost.exe, you can use process explorer (http://technet.microsoft.com/en-us/s.../bb896653.aspx) to look at the services registered in that process. That way you may be able to see exactly what is attempting to connect.
Old 2009-09-07, 11:04   Link #17
SaintessHeart
NYAAAAHAAANNNNN~
 
 
Join Date: Nov 2007
Age: 29
Quote:
Originally Posted by Epyon9283 View Post
If Avast gives you a PID of svchost.exe, you can use process explorer (http://technet.microsoft.com/en-us/s.../bb896653.aspx) to look at the services registered in that process. That way you may be able to see exactly what is attempting to connect.
Right now I need one that gives me the port and address it attempts to connect to rather than just the PIDs. This one doesn't seem of much use to me.

Besides, combining Task Manager and running tasklist /svc /fi "imagename eq svchost.exe" gives me better data, but I am still tied up here. Being a lazy person, I think I should just run a format. Doing this is crazy.

On the other hand, I am feeling too lazy to do a format.

P.S. This is annoying. It seems that the attacker is REALLY hitting my system32\drivers. Found a rootkit generator called pln1916.sys in there a few minutes ago, shredded it.
Last edited by SaintessHeart; 2009-09-07 at 11:23.
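Epyon9283's Process Explorer suggestion and the tasklist /svc command above are two halves of the same question: which svchost instance hosts which services, and which instance owns the outbound connection. netstat -ano prints the owning PID beside every socket, so joining its output with tasklist /svc gives the remote address, port and service group per PID, which is the data asked for above. The script below is an added example, not from the thread or from either tool; both command outputs are constructed samples in the shape the real commands print (the PIDs and service lists are made up, and 203.0.113.10 is a documentation address standing in for the mail server mentioned earlier). One caveat that the later rootkit find in this thread illustrates: once a malicious driver is suspected, listings produced by user-mode tools on the same machine can themselves be tampered with, so treat this join as a starting point, not proof.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of `tasklist /svc` output on Windows XP.
SAMPLE_TASKLIST = """
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                    896 RpcSs
svchost.exe                   1032 AudioSrv, CryptSvc, Dhcp, EventSystem, lanmanserver
svchost.exe                   1204 Dnscache
rundll32.exe                  1440 N/A
"""

# Constructed sample in the shape of `netstat -ano` output.
# 203.0.113.10 is a documentation address, not a real server.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       896
  TCP    192.168.1.5:1045       203.0.113.10:25        ESTABLISHED     1032
  TCP    192.168.1.5:1051       203.0.113.10:25        SYN_SENT        1032
  UDP    0.0.0.0:68             *:*                                    1032
"""

# <image name> <pid> <comma-separated services or N/A>; the header and the
# ===== separator never match because they carry no numeric PID column.
TASK_LINE = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<svcs>.*)$")
# <proto> <local> <foreign> [<state>] <pid>; UDP rows have no state column.
NET_LINE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$")


def parse_tasklist_svc(text: str) -> Dict[int, Dict[str, object]]:
    """Map PID -> {image, services} from `tasklist /svc` output."""
    procs = {}
    for line in text.splitlines():
        m = TASK_LINE.match(line.rstrip())
        if not m:
            continue
        svcs = m["svcs"].strip()
        services = [] if svcs == "N/A" else [s.strip() for s in svcs.split(",")]
        procs[int(m["pid"])] = {"image": m["image"], "services": services}
    return procs


def parse_netstat_ano(text: str) -> List[Dict[str, object]]:
    """One dict per socket line of `netstat -ano`, keeping the owning PID."""
    conns = []
    for line in text.splitlines():
        m = NET_LINE.match(line)
        if not m:
            continue
        conns.append({"proto": m["proto"], "local": m["local"], "remote": m["remote"],
                      "state": m["state"] or "", "pid": int(m["pid"])})
    return conns


def is_external(remote: str) -> bool:
    """True when the foreign address is a real remote host, not a wildcard or loopback."""
    host = remote.rsplit(":", 1)[0]
    return not (host in ("*", "0.0.0.0", "[::]", "::1") or host.startswith("127."))


def attribute_connections(tasklist_text: str, netstat_text: str) -> List[Dict[str, object]]:
    """Join every socket with the image and service group that owns its PID."""
    procs = parse_tasklist_svc(tasklist_text)
    result = []
    for c in parse_netstat_ano(netstat_text):
        proc = procs.get(c["pid"], {"image": "<not in tasklist>", "services": []})
        result.append({**c, "image": proc["image"], "services": proc["services"]})
    return result


def external_connections(tasklist_text: str, netstat_text: str) -> List[Dict[str, object]]:
    """Only the sockets that talk to an outside host: the ones worth explaining."""
    return [c for c in attribute_connections(tasklist_text, netstat_text)
            if is_external(c["remote"])]


if __name__ == "__main__":
    for c in external_connections(SAMPLE_TASKLIST, SAMPLE_NETSTAT):
        svc = ", ".join(c["services"]) or "(no services)"
        print(f"{c['proto']} {c['local']} -> {c['remote']} {c['state']:<12} "
              f"pid {c['pid']} {c['image']} [{svc}]")
```

On a live box you would feed it the saved output of the two commands; the service list on the flagged svchost PID is what narrows the search from "svchost is phoning home" to the handful of services that instance hosts, which is the same view Process Explorer gives per process.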
Old 2009-09-07, 14:37   Link #18
Epyon9283
Geek
 
 
Join Date: Dec 2005
Location: New Jersey
Age: 34
Yeah I'm not sure why you haven't formatted yet since you can't get rid of this malware and you're still not sure what exactly it's attempting to send out from your machine.
Old 2009-09-08, 03:55   Link #19
SaintessHeart
NYAAAAHAAANNNNN~
 
 
Join Date: Nov 2007
Age: 29
Quote:
Originally Posted by Epyon9283 View Post
Yeah I'm not sure why you haven't formatted yet since you can't get rid of this malware and you're still not sure what exactly it's attempting to send out from your machine.
I don't have a backup for my important files.

P.S. Blocked another IP address just now. Traced it to Kyushu University.
Last edited by SaintessHeart; 2009-09-08 at 04:59.
Old 2009-09-08, 08:34   Link #20
sa547
Senior Member
*Author
 
 
Join Date: Oct 2007
Location: Philippines
Age: 41
If you're going to format the main hard disk, you could try to borrow a backup hard disk and plug it in, or using a partition utility in a bootable disk, try to split the hard disk into two partitions (and therefore, drives), move some of the important stuff to the other drive, then format drive C, reinstall Windows and software.

Have you tried this one? Rootkit Revealer?
http://technet.microsoft.com/en-us/s.../bb897445.aspx